Researchers Get Access To Passwords Stored In Locked iPhone In 6 Minutes


PC World is reporting that some security researchers in Germany have managed to get access to passwords stored in a locked iPhone by bypassing iPhone’s passcode lock.

The researchers apparently used existing jailbreak exploits that allow an attacker to access an iPhone’s file system even when the device is passcode-locked.

IDG reports:

In a video that demonstrates the attack, the researchers first jailbreak the phone using existing software tools. They then install an SSH server on the iPhone that allows software to be run on the phone.

The third step is to copy a keychain access script to the phone. The script uses system functions already in the phone to access the keychain entries and, as a final step, outputs the account details it discovers to the attacker.

The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.

The researchers were able to decrypt the passwords stored in the keychain to get access to passwords for Gmail accounts, Microsoft Exchange accounts, voicemail access, VPN and Wi-Fi passwords, as well as some applications passwords.

Researchers at the state-sponsored Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) have the following advice for users of a lost or stolen iOS device:

Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords.

Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts.

Let’s hope that Apple addresses this issue so that someone who gains unauthorized access to an iOS device still cannot decrypt the passwords stored in its keychain.
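The report above makes one structural point: a key that can be derived from material on the device alone can be derived by anyone who can run code on the device, while a key that also depends on the passcode cannot. The following is an added illustration of that point, written for this page; it is not Apple’s key hierarchy, not the researchers’ script, and it does not touch a real keychain. It models a “device secret” as a random 32-byte value, stands in an HMAC-SHA256 counter keystream for AES, and uses constructed sample secrets, a hypothetical label string and a made-up passcode.

```python
"""Model: a keychain class key derived only from a device secret versus one
entangled with the user's passcode. Added example, not Apple's real scheme.
The "cipher" is an HMAC-SHA256 counter keystream standing in for AES."""
import hashlib
import hmac
import secrets

CLASS_LABEL = b"keychain-class-key"   # hypothetical derivation label


def device_only_key(uid_key: bytes) -> bytes:
    """Class key that depends only on a secret present on the device.
    Any code running on the device can rebuild it; no passcode needed."""
    return hmac.new(uid_key, CLASS_LABEL, hashlib.sha256).digest()


def passcode_entangled_key(uid_key: bytes, passcode: str, salt: bytes,
                           iterations: int = 100_000) -> bytes:
    """Class key that mixes the device secret with a PBKDF2-stretched passcode.
    The device secret alone is no longer enough to reproduce it."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return hmac.new(uid_key, CLASS_LABEL + stretched, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not verify the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def attacker_recovers(uid_key: bytes, blobs: dict) -> dict:
    """Attacker position from the report: code execution on the device
    (jailbreak, SSH, script), so uid_key and the stored blobs are readable,
    but the passcode is not known. The only key derivable is the device-only one."""
    key = device_only_key(uid_key)
    return {name: unseal(key, blob) for name, blob in blobs.items()}


def demo():
    """Store one item under each scheme and see what the attacker gets back."""
    uid_key = secrets.token_bytes(32)      # constructed device secret
    salt = secrets.token_bytes(16)
    passcode = "2580"                      # constructed passcode
    gmail = b"gmail: hunter2"              # constructed sample secrets
    wifi = b"wifi: correct-horse"
    blobs = {
        "gmail_device_only": seal(device_only_key(uid_key), gmail),
        "wifi_passcode_entangled": seal(passcode_entangled_key(uid_key, passcode, salt), wifi),
    }
    stolen = attacker_recovers(uid_key, blobs)
    # The legitimate owner, who knows the passcode, can still open the entangled item.
    owner = unseal(passcode_entangled_key(uid_key, passcode, salt),
                   blobs["wifi_passcode_entangled"])
    return stolen, owner


if __name__ == "__main__":
    stolen, owner = demo()
    for name, value in stolen.items():
        print(f"attacker {name}: {value!r}")
    print(f"owner wifi_passcode_entangled: {owner!r}")
```

Two caveats a practitioner should keep in mind. First, in this model the attacker knows `uid_key`, so a short numeric passcode could still be brute-forced offline against the entangled item; a real design keeps the device secret inside hardware so each guess has to be run through the device itself and can be rate-limited. Second, entangling every item with the passcode is not free: anything the phone must use while locked (receiving mail in the background, reconnecting to Wi-Fi) would need a key that is available without the passcode, which is exactly the class of item the report describes being read.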

[via PC World]


  • John

    If an iphone is lost or stolen, don’t bet on it being returned by the finder. Remote wipe. That’s what it’s there for.

  • pal

    Does this work on phones where user changed root password?

    • Dustin

      Well, technically I think if you changed your password, they shouldn’t be able to gain access, but I’m sure there is a workaround to that (brute-force password cracker). Whatever happened to the ASLR patch I had heard someone was working on? Wouldn’t this have prevented them from getting the password due to the files and such being in random locations and making it harder to find? I see they used a script; I’m sure they had to know filenames and locations, and decrypt them.

      • Dustin

        Antid0te was the name of it…

    • am

      I sent an email to the two guys who came up with this hack at the Fraunhofer Institute in Germany. I asked if changing the root password could protect a phone against this hack.

      Jens Heider (one of the two “hackers”) responded:
      “Hi – no, the knowledge of the root password is not needed to perform the attack. In step 1 we set our own account.”

      So, there you have it. Even if you have changed the root password, you are just as open to this attack.

    • Brian

      That’s what I’m trying to find out too. I didn’t see the exploit logging in to root but maybe I missed it.

  • Andrew

    That’s pretty crazy shit, if I must say.

  • MK

    How about you jailbreak your phone and then set up a password?

  • BeerDone

    Looks like Apple now got something to back up their jailbreak hatred – read the first two steps.

  • fas

    It’s sad that Apple security is going for a toss. This might delay 4.3.

    • John

      It’s not sad and has no bearing on 4.3. ALL devices can be broken into within minutes. Password security isn’t as secure as companies lead you to think. This is nothing new. If you lose your phone, it’s best to remote wipe it. I wouldn’t bet on it being returned to you. Finders keepers.

  • Can we count on a tutorial for this? Which version of redsn0w is he using? And how does he install the SSH server on the iPhone? Anyway, it is an interesting hack; keep up the good work.

  • Dino

    Remote wipe does not guarantee the security of your iDevice. If you can get access to the file system via a script, then you can use data recovery software and search for the deleted data. Jonathan Zdziarski showed in one of his forensics articles how to recover deleted data. The only way to fix this is to add a new security layer that protects the kernel.

    • John

      A new security layer will just get hacked. This isn’t unique to the iphone. EVERY device is VERY easy to break into with physical access to it.

      The only way to fix this is to keep your phone safe and don’t lose it. Especially if you’re the type who’s paranoid about your data and people using methods to recover wiped data.

    • Tony

      The remote wipe should use a shredding/bleaching process. If it doesn’t, it is completely useless and anything can be undeleted until it is written over. If it is completely written over in two passes, it is permanently gone, at least with any technology conceivable within the next 20 years.

  • Dino

    A new security layer will keep the sensitive information in a sandbox, if you like. The isolation will make sure that anyone who isn’t supposed to have access doesn’t. The solution is simple: only the root account can access the information, and only from within the OS; this means that the device needs to be booted up. The security layer will also deny impersonation of root rights for this operation. So even if the root password is known (alpine), you cannot script any operation. Please don’t curse me for what I am about to say, but Microsoft’s Windows 7 has this kind of security built in. My point is that the security logic is not something top secret. What Apple needs to do is acknowledge that their OS is not bulletproof and they need to improve the security.

    • John

      I could point you to a few simple linux tools that will break windows 7 security in less than 5 mins. The whole point is, physical access. Nothing’s safe if someone has physical access to it. The best security is ourselves.